Risky Biz News: Tor network hit with DDoS attacks over past seven months

In other news: BSI has a new chief; Operation Magicflame disrupts major Asian cybercrime gang; Cl0p gang's Linux ransomware decrypted.

This newsletter is brought to you by Airlock Digital, Proofpoint, runZero, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The Tor Project says that over the past seven months, the availability of the Tor network has been disrupted by a series of massive DDoS attacks.

The organization says that during some moments, "the attacks impacted the network severely enough that users could not load pages or access onion services."

The Tor Project says the methods and targets of these attacks have changed over time, and its engineers currently can't determine with certainty who was behind the attacks or their intentions.

After speaking to several Tor relay operators, RiskyBizNews understands the attacks are not taking place at the same time against the entire Tor network. Instead, the attackers target a small number of relays and rotate to new relays after a few days.

The Tor community has been well aware of the issue. No Tor server operators have reported receiving ransom demands following the attacks.

Some members successfully developed some basic DDoS mitigations, but as the Tor Project explains in the blog post, attackers also updated the way they carry out attacks.

Breaches and hacks

SperaxUSD crypto-heist: A threat actor exploited a bug in the protocols of the SperaxUSD cryptocurrency service and stole roughly $300,000 from the company.

Vesuvius incident: UK engineering company Vesuvius says it suffered a cybersecurity breach. The company says it shut down affected systems and is working to investigate the incident and restore systems. The company has more than 10,000 employees across the world and is known for its metal and ceramics work and molten metal flow engineering.

RSAWeb ransomware attack: A ransomware attack has been identified as the source of a days-long outage that has impacted the services of South African telco and cloud hosting provider RSAWeb. The incident took place on February 1, and the company took days to fully recover, according to a notification the company sent to its customers. The company says the attack affected its website, internet fiber, mobile, hosting, VoIP, and PBX services. [Press coverage in MyBroadband]

General tech and privacy

Tutanota's new whistleblower system: Secure email provider Tutanota has launched Secure Connect, a new whistleblower system that lets companies add a secure and anonymous reporting channel. The project is similar to the Guardian's SecureDrop. The difference is that it's not open-source, and it requires a Tutanota Pro account.

Dashlane apps go open-source: Password manager Dashlane has open-sourced its Android and iOS apps. This includes all their apps, not just the password manager ones.

Prototype pollution protection: Google security engineers are working on a proposal to mitigate prototype pollution vulnerabilities by introducing a secure opt-in mode in JavaScript processing environments, such as web browsers. [More in the Daily Swig]

"Pollution vulnerabilities exist because JS properties can be changed by default by anyone who has a reference to them. [...] Pollution bugs are a type of data-only attacks that lie outside of the threat model of many existing mitigations, like the Content Security Policy."

NIST cryptography updates: US NIST has updated the Federal Information Processing Standard known as FIPS 186-5, which recommends which cryptographic algorithms and techniques should be used for the generation and verification of digital signatures. Currently, the standard recommends algorithms such as RSA, ECDSA, and EdDSA. This update introduces two new Edwards curves recommended for use with the EdDSA algorithm. These are Ed25519 and Ed448.

Government, politics, and policy

New BSI lead: Claudia Plattner, Director General of Information Systems at the European Central Bank (ECB), has been appointed as the new chief of Germany's cybersecurity agency, the Federal Office for Information Security, also known as the BSI. Plattner will formally take up her new role in July this year. Plattner replaces Arne Schoenbohm, who was dismissed last October after German media found ties to Russia's intelligence services in one of his past private-sector endeavors.

India bans more Chinese apps: The Indian government has blocked 138 betting apps and 94 loan lending apps, citing alleged "Chinese links." The ban was pushed through as an "emergency" to protect the integrity of its citizens' personal data. India has also blocked more than 300 Chinese apps in recent years. [Additional coverage in TechCrunch]

Cybersecurity execs join NSTAC: The White House has added multiple cybersecurity experts and executives to the country's National Security Telecommunications Advisory Committee (NSTAC). The agency's role is to advise the president on critical national security and emergency preparedness topics related to the telecom sector. The inclusion of cybersecurity experts shows the growing role of internet-based threats in the telecommunications field. Cybersecurity executives added to NSTAC this week include:

  • Mandiant CEO Kevin Mandia
  • Rapid7 CEO Corey Thomas
  • Trellix CEO Bryan Palma
  • Microsoft Vice President of Security Policy Scott Charney
  • Comcast CISO Noopur Davis
  • Cox Communications CISO Kimberly Keever

RunZero is one of this newsletter's four main supporters and this week's featured sponsor. The company's main product is its network discovery and asset inventory platform, which can be used to find any managed and unmanaged assets inside a customer's network. To learn more, please check out this runZero product demo below:

Cybercrime and threat intel

Ryuk money launderer pleads guilty: A 30-year-old Russian national named Denis Dubnikov has pleaded guilty in a US court to money laundering charges. According to court documents, Dubnikov received and helped launder more than $400,000 worth of cryptocurrency that came directly from a ransom payment to the Ryuk ransomware gang. Although Dubnikov cofounded two cryptocurrency exchanges named EggChange and Crypto Coyote, the transfer was sent to an address under his personal control. Dubnikov was arrested in the Netherlands and extradited to the US in November 2021.

Optus data extortionist sentenced: A Sydney teen has been sentenced to 18 months of Community Correction Order and 100 hours of community service for attempting to blackmail Optus customers. Dennis Su, 19, from Sydney, pleaded guilty last year to extorting Australians who had their data leaked in the Optus breach. Su—who was not involved in the breach itself—admitted to taking some of the leaked Optus data, contacting users via SMS, and demanding an AUS$2,000 payment, or he'd use their personal details to commit "financial crimes." Su was detained in early October, a week after sending out the SMS messages.

Operation Magicflame: Interpol and Hong Kong police have dismantled the server infrastructure of an international cybercrime syndicate. The crackdown, part of what Interpol called Operation Magicflame, targeted a cybercrime group that used SMS phishing to redirect users to download one of 563 malicious apps they had hosted on servers around the world. Officials said the gang ran 258 servers, 192 of which were hosted across Hong Kong data centers. The gang used the malicious apps to steal data from infected devices and then steal funds from bank accounts. According to the South China Morning Post [non-paywalled version], the group appears to be made up of suspects from mainland China, the Philippines, and Cambodia and targeted users located mostly in Japan and South Korea.

Leaky online stores: A survey of more than 2,000 online stores has discovered that more than 250, representing roughly 12%, are leaving backup files exposed on the internet. Sansec, a security firm specializing in security services for online stores, says the stores exposed archives, such as ZIP, SQL, and TAR files, in public web folders without access restrictions. The company says threat actors can scan for these files and then use the configuration files within them to gain access to store resources and user data.

"These backups appear to contain database passwords, secret administrator URL, secret API keys, and full customer data (PII)."

UAC-0050: Ukraine's CERT team is warning about a series of attacks against government agencies trying to install the Remcos RAT. The agency attributed the attacks to UAC-0050, a threat actor it's been tracking since 2020.

Killnet bot IP addresses: SecurityScorecard has published a list of more than 17,000 IP addresses that were used by the Killnet pro-Russian hacking group to launch DDoS attacks against western targets. Blocking the IPs should mitigate some of the group's attacks.

NCC annual report: The NCC Group has published its annual threat report. Some of its conclusions are below.

  • Ransomware attacks decrease by 5% in 2022 (2,667 in 2021 to 2,531 in 2022).
  • The industrial sector was the most targeted by criminal gangs for the second year running.
  • North America (44%) and Europe (35%) were the most targeted regions.
  • DDoS incidents and business email compromise (BEC) both take a larger share of attack types as threat actors explore triple extortion methods.

Malware technical reports

ESXiArgs data can be recovered: Yöre Grup CTO Enes Sönmez has found a way and published a step-by-step guide on how to decrypt servers encrypted by the ESXiArgs ransomware.

Darkside ransomware: South Korean security firm ASEC has published a technical breakdown of the Darkside ransomware strain.

Clop ransomware decrypter: Security firm SentinelOne has released a free decrypter for the Cl0p ransomware's recently discovered Linux variant. The Cl0p gang was first seen deploying a Linux ransomware variant in December 2022 in an attack that hit a Colombian university. The decrypter will allow the gang's past victims to recover files encrypted on Linux systems. SentinelOne says their decrypter exploits a flaw in the gang's encryption algorithm. The original Cl0p ransomware strain, designed to encrypt Windows systems, remains unbreakable (for now).

Paradies Clipper: Perception Point researchers published a technical analysis on the Paradies Clipper, currently advertised on hacking forums. The malware works by replacing a victim's cryptocurrency address inside the Windows clipboard with one owned by the attacker. The malware can steal cryptocurrencies such as Bitcoin, Litecoin, Ethereum, Dogecoin, Ripple, Dash, Monero, and Neo.

Stealerium: SecurityScorecard's Vlad Pasca has a technical write-up on the Stealerium, an open-source stealer, keylogger, and clipper that was open-sourced on GitHub last year and which is currently seeing a wider adoption by various threat actors. The malware collects data such as app passwords, desktop and webcam screenshots, and other local data, which it sends to a remote Discord channel.

APTs and cyber-espionage

APT-C-35 (Donot): Qihoo 360's team has published a report on recent attacks carried out by the APT-C-35 (Donot) group. Recent attacks used PPT or XLS files laced with macros to distribute malware.

Vulnerabilities and bug bounty

CVE-2022-44268 (ImageMagick): The ImageMagick team has fixed360'slnerability tracked as CVE-2022-44268 that could lead to remote code execution by just uploading a malformed PNG file on a website/app. Proof of concept exploit code has been released online this week.

CVE-2023-22501 (Jira): Atlassian has released a security update to fix a major vulnerability in the authentication component of its Jira service that could allow an attacker to impersonate another user and gain access to a Jira Service Management instance.

"Access to these tokens can be obtained in two cases: (1) If the attacker is included on Jira issues or requests with these users, or (2) If the attacker is forwarded or otherwise gains access to emails containing a "View Request" link from these users. Bot account " are particularly susceptible to this scenario."

Netgear pre-auth RCE: Security researcher Jean-Jamil Khalife has published a technical write-up about a pre-auth RCE in Netgear Nighthawk routers. The issue was patched last year, but no CVE.

"The vulnerability we found made it possible to obtain a shell on the router which could subsequently lead to access to third-party subnets."

Toyota network compromise: Security researcher Eaton Zveare has compromised and gained full control of Toyota's Global Supplier Preparation Information Management System (GSPIMS), a web app used by Toyota employees and their suppliers to coordinate projects, part", and purchases related to Toyota's global supply chain. Zveare says he gained full system admin access by abusing a vulnerability in the company's "improperly secured" API, which allowed him to read emails and documents from more than 14,000 global Toyota customers. The researcher says he responsibly disclosed the issue to Toyota last November, and the app was secured within three weeks.

"I have reported so far to various vendors, Toyota's response was the fastest and most effective. I was very impressed with how quickly they responded and fixed the issue. Some companies can be slow to respond or fail to respond at al", so this experience was refreshing."

Money Lover app leak: Trustwave researchers say they identified a major leak in Money Lover, a wallet app developed by Finsify. The leak allegedly exposes email addresses and wallet names. Researchers published their findings after the app vendor stopped responding to its responsible disclosure attempts.

Android security updates: ...for February 2023 are out!

Infosec industry

Cyber-insurance stats: Cyber-insurance company Coalition says its policyholders reported insurance claims at a 70% lower frequency than the industry average. The company credited this to its "active insurance" strategy, where they scan company networks and notify policyholders about major issues on their networks, requiring them to fix issues.

BlueHat 2023: The speaker line-up for Microsoft's BlueHat 2023 security conference has been announced. The conference will take place on February 8 and 9.

BRUNCHCON 2022 videos: Talks from the BRUNCHCON (now SLEUTHCON) 2022 security conference, which took place last November, are available on YouTube.

Risky Business podcast host Patrick Gray recorded this video with Okta, which shows users how to enable phishing-resistant authentication. It also goes into how enabling phishing-resistant auth for some users can benefit the whole org, even if it's not turned on everywhere.